System Center Configuration Manager Feedback

Ideas

What features would you like to see?

All of the feedback that you share in these forums will be monitored and reviewed by the Microsoft engineering teams responsible for building System Center Configuration Manager, though we can’t promise to reply to all posts.

Standard Disclaimer – our lawyers made us put this here ;-) Please note that the System Center Configuration Manager feedback site is moderated and is a voluntary participation-based project. Please do not send any novel or patentable ideas, copyrighted materials, samples or demos which you do not want to grant a license to Microsoft. See the “User Voice Terms of Service” link below for more information.

How can we improve Configuration Manager?

Configuration Manager is becoming more mission critical every day. The ability to Cluster the Site Server role (Inboxes & SMS Provider) is more and more important as that is the single point of failure for a Primary Site.

If the Site Server role goes down the Primary Site is down no matter how many Management Points or SMS Provider etc. exist.

If we could Cluster the Site Server or at least have 2 systems share that role for High Availability then this would no longer be an issue.

Even though we can designate multiple SMS Providers, if the site system itself goes down, consoles will not connect to ANY of these other providers. That’s because the console ALWAYS connects to the Site Server for a list of the SMS Providers every time a console is opened, so it’s not true SMS Provider redundancy: if the Site Server goes down, no new consoles can connect.

Current architecture around SCCM’s management of SQL configuration and maintenance is old and hard to use. It requires a lot of manual oversight, and manual SQL tasks. And the default SQL settings created by SCCM are non-optimal. SQL is a powerful beast. Rethink ways SCCM can use it better, and keep it more optimally tuned and configured. Rethink how to run maintenance and backup tasks without downtime or impact to the production sites and deployments (this especially becomes more important with features like Conditional Access, that can never really have downtime.)

Beginning with 2012 SP1, we have the ability to add a CAS to an autonomous primary site. It could be interesting to reverse the proposition by having the ability to remove a CAS above a Primary when a CAS is no longer needed or has been set for a wrong reason.
I know that it could be done through creating another hierarchy and using migration tasks, but this is quite difficult, for it requires additional hardware.

In a flat SCCM infrastructure deployment across multiple domains, it becomes troublesome to perform User/Group/Forest/System discoveries in domains other than the Site Server domain, especially in a DMZ. This is because the Site Server has to be able to talk to the other domains' domain controllers, and security requirements do not always allow that.

This could be improved upon if we could choose to perform AD related discoveries from Site Systems (for example an MP or a specialized role for that purpose) other than the Site Server, as illustrated in the picture attached.

With 1610, the Cloud Management Gateway feature arrived. Although it's a Pre-Release feature, as a Cloud Solution Provider we're UNABLE to use/implement this. And so are our customers...!

When you try to set this up from the ConfigMgr console, a prerequisite is the Azure Management Certificate, which can't be configured as CSP-tenant because this needs the Classic Azure Portal (ASM). This is unacceptable for us, as CSP, as we would have to instruct our customers to get an Azure Subscription separately.

If an update is planned and servicing windows are defined, it would be necessary to check, before the update is processed, whether all requirements and conditions are fine, e.g. all site servers online, queues, link state, etc.

It would be helpful to be able to create a custom script in servicing windows that returns true or false, to postpone the servicing if something is not running or is wrong. Otherwise the servicing is processed and could bring the infrastructure into a worse state.

If you have deployed an offline Service Connection Point, ServiceConnectionTool.exe now (in ConfigMgr 1511 - 1606) downloads ALL published ConfigMgr update packages when you use the -connect parameter. E.g. if your site only requires a post-1606 hotfix, ServiceConnectionTool.exe downloads the 1602 and 1606 installation packages although they are installed! Currently it will download over 7 GB of updates when you just need an update package of about 25 MB. This is just a waste of time, network traffic & disk space.

Please improve ServiceConnectionTool.exe, so it would only download the update packages that are applicable for the current installation.

Configuration Manager currently installs binaries and configures the SQL backup site component service on the database server, running under LocalSystem authority. Many environments have separate groups that host and manage the SQL Server enterprise environment, and do not allow for services or additional software to be installed on them, creating unnecessary conflict and drama when SCCM needs to be installed. SQL Server is a networked service, there shouldn't be a reason to install software on the database server running under a privileged account in order to leverage backup routines.

I would love to see both MDT and ADK integrated into all new Builds of ConfigMgr as optional Features. This enhancement would give Admins the option to enable them if they choose or if they simply want to upgrade to the latest version. This alleviates the need to install MDT separately but, more importantly, ends the guesswork to determine what ADK is required to deploy the latest version of Windows. This enhancement will also provide a central repository for MDT and ADK by leveraging the Updates and Servicing node within the Admin Console.

The Microsoft Local Admin Password Solution (LAPS) is great because of the security it provides, but is not in widespread use because it isn't enabled by default and requires desktop/server teams to work together to implement.

Integrate the functionality of Microsoft LAPS into the ConfigMgr infrastructure.

This could include simple steps to control replace the group policy need with a new compliance item node, or could include completely supplanting the functionality (similar to how MBAM makes it so you don't need AD for managing BitLocker recovery keys).

Anything that ConfigMgr can do to bring down the bar for securing local admin passwords would do a great service to organizations.

Occasionally I forget to upgrade one of my ConfigMgr TP environments, and it expires. Once expired, the servicing node won't allow new TP releases to be installed. Remove this restriction, let me upgrade expired TPs with new TP releases so I don't have to reinstall and reconfigure.

Configuration Manager Current Branch (1602) supports SQL Always On Availability Groups, however it only supports Synchronous-commit replicas.

From TechNet:
Asynchronous-commit mode. This availability mode is a disaster-recovery solution that works well when the availability replicas are distributed over considerable distances.

Synchronous-commit mode. This availability mode emphasizes high availability and data protection over performance, at the cost of increased transaction latency. A given availability group can support up to three synchronous-commit availability replicas, including the current primary replica.

This means that Configuration Manager can only support 3 secondary replicas in a SQL AO AG and they need to be in the same datacenter. Without the ability to support Asynchronous-commit replicas we cannot have replica groups that are Geo redundant and offer a more complete disaster-recovery solution. For many customers who use a different datacenter for the disaster recovery model the Synchronous-commit does not offer any improvement in recovery as a database would still need to be restored and a ConfigMgr Site Recovery still done. Having the option for an Asynchronous-commit can help to reduce the recovery time of Configuration Manager in the event of a disaster.

Another option would be to support Distributed Availability Groups for SQL 2016.

It's a real pain to have to tear down and rebuild the MP replicas every time I want to install a servicing update. It would be great to have the update process automatically save the replica state, point the MPs at the primary DB, tear down the MP replicas, do the update and then put it all back.

The cloud distribution point Azure service gives the SCCM Client a list of Azure Blob Storage URLs to the content files of a package or application.
The client will then download via BITS directly from Blob Storage instead of downloading from the Cloud Distribution Point URL.
For many customers this is a problem because they have to open client firewalls for the whole Azure Datacenter IP Ranges or for the whole internet for the svchost which hosts the BITS service.

It would be great to have an option to switch the download behavior between two modes:
First Mode: The cloud distribution point as it is. The Client needs full access to the internet or at least to every Azure Datacenter IP.
Second Mode: Switch to a different download behavior so that every communication, even the download, will happen only with the cloud distribution point and not with the Azure Blob Storage.
If that's the case, the client only needs access to the cloud distribution point private virtual IP (VIP). Several customers would love that, because it only needs a simple configuration and would decrease the attack surface if you use a VPN client with a firewall and a simple split tunneling config. It also would simplify Proxy configurations.

When doing an upgrade to SCCM, it has been recommended to disable some, or even all of the site maintenance tasks. (per the upgrade checklist) Would be awesome to have a box on the Maintenance Tasks screen to temporarily disable ALL tasks while the upgrade is being performed. (as opposed to manually disabling all of them) An "upgrade/maintenance mode" box essentially!